|
In-Portal Issue Tracker - In-Portal CMS
|
|
Viewing Issue Advanced Details |
|
|
ID:
|
Category:
|
Type:
|
Reproducibility:
|
Date Submitted:
|
Last Update:
|
|
1362 |
[In-Portal CMS] Security |
feature request |
N/A |
2012-07-22 06:26 |
2012-10-18 10:37 |
|
|
Reporter:
|
alex |
Platform:
|
|
|
|
Assigned To:
|
alex |
OS:
|
|
|
|
Priority:
|
normal |
OS Version:
|
|
|
|
Status:
|
resolved |
Product Version:
|
5.0.0 |
|
|
Product Build:
|
|
Resolution:
|
fixed |
|
| |
|
ETA:
|
none |
Fixed in Version:
|
5.2.1-B1 |
|
|
Reference:
|
https://groups.google.com/d/topic/in-portal-dev/5Hm6xr5K188/discussion |
|
Change Log Message:
|
Improving password hashing algorithm |
|
Estimate Points:
|
2 |
|
|
Summary:
|
0001362: Use even more secure password hashing algorithm |
|
Description:
|
I recommend doing 2 things:
* use adaptive hashing algorithm to hash user's password
* use random salt for each of hashed password (this will ensure different hash even if 2 users use same password for their accounts).
Here how I see it's implemented:
1. add following column to Users (PortalUser) database table after Password field:
- PasswordHashingMethod (1 - md5; 2 - md5+phppass; 3 - phppass)
2. during an upgrade we:
- apply "phppass" hashing over md5 password we have in db
- write down "md5+phppass" as currently used hashing logic
3. at user login (only password isn't hashed via "phppass") we:
- take plain-text password user submits in login form
- hash it using "phppass"
- update Password, PasswordHashingMethod columns of that user
4. at user login (every time) we:
- look at value in PasswordHashingMethod column to determine hashing algorithm
- generate hash using that algorithm and user provided plain-text password
- compare hash to one, that is selected based on Username/Email provided by user from login form
5. when checking password from SystemSettings table (e.g. on "root" user login) we:
- first checking using phppass hashing algorithm
- if that failed, then check using salted md5 algorithm
- if that succeeded, then convert stored password using phppass hashing algorithm and store it to database |
|
Steps To Reproduce:
|
|
|
Additional Information:
|
More reading about this subject:
* http://www.openwall.com/phpass/
* http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html |
| Relationships | | related to | 0001414 | resolved (5.2.1) | alex | Centralize code for resource limit setting |
|
|
Attached Files:
|
 improved_password_hashing_core.patch (42,404) 2012-10-18 10:33
http://tracker.in-portal.org/file_download.php?file_id=1833&type=bug
improved_password_hashing_modules.patch (1,456) 2012-10-18 10:33
http://tracker.in-portal.org/file_download.php?file_id=1834&type=bug |
|
|
Issue History |
|
Date Modified |
Username |
Field |
Change |
|
2012-10-18 10:37 |
alex |
Note Added: 0005235 |
|
|
2012-10-18 10:37 |
alex |
Status |
reviewed and tested => resolved |
|
2012-10-18 10:37 |
alex |
Fixed in Version |
=> 5.2.1-B1 |
|
2012-10-18 10:37 |
alex |
Resolution |
open => fixed |
|
2012-10-18 10:37 |
alex |
Assigned To |
!COMMUNITY => alex |
|
2012-10-18 10:37 |
alex |
Changeset attached |
5.2.x r15590 |
|
2012-10-18 10:34 |
alex |
Changeset attached |
5.2.x r15589 |
|
2012-10-18 10:34 |
alex |
Note Added: 0005234 |
|
|
2012-10-18 10:34 |
alex |
Status |
needs testing => reviewed and tested |
|
2012-10-18 10:34 |
alex |
Assigned To |
=> !COMMUNITY |
|
2012-10-18 10:34 |
alex |
Developer |
=> alex |
|
2012-10-18 10:34 |
alex |
Status |
active => needs testing |
|
2012-10-18 10:33 |
alex |
File Added: improved_password_hashing_modules.patch |
|
|
2012-10-18 10:33 |
alex |
File Added: improved_password_hashing_core.patch |
|
|
2012-10-18 10:29 |
alex |
Relationship added |
related to 0001414 |
|
2012-10-18 10:22 |
alex |
Description Updated |
bug_revision_view_page.php?rev_id=1060#r1060 |
|
2012-10-18 05:57 |
alex |
Description Updated |
bug_revision_view_page.php?rev_id=1059#r1059 |
|
2012-07-25 05:39 |
alex |
Target Version |
5.2.0 => 5.2.1 |
|
2012-07-22 06:30 |
alex |
Reference |
=> https://groups.google.com/d/topic/in-portal-dev/5Hm6xr5K188/discussion |
|
2012-07-22 06:30 |
alex |
Change Log Message |
=> Improving password hashing algorithm |
|
2012-07-22 06:30 |
alex |
Estimate Points |
1 => 2 |
|
2012-07-22 06:30 |
alex |
Additional Information Updated |
bug_revision_view_page.php?rev_id=1033#r1033 |
|
2012-07-22 06:26 |
alex |
New Issue |
|
|
2012-07-22 06:26 |
alex |
Estimate Points |
=> 1 |